what is the CAS 6.6.x SSO endpoint as SP in delegated SAML AuthN?


Yan Zhou

Aug 25, 2023, 2:56:18 PM
to CAS Community
Hi, 

This is my environment:

CAS 6.6.x, SAML2 delegated authN, SpringBoot app -> CAS -> Okta (CAS delegates to Okta, CAS is an SP to Okta, Okta is the IDP).

One trouble I have is on the client app side: it needs to specify the IDP, which should be CAS, but I do not know what the CAS SSO endpoint below should be (since CAS is also an SP to Okta). I tried /cas/login; when I go to the client app, it redirects to the CAS login page, and I see the external identity provider on the login page. However, autoRedirect is not working, which tells me something is not set up correctly.

Did I have the SSO endpoint correct in the following: /cas/login, /cas/logout?

Yan

IDP metadata file placed on the Spring Boot client app side
====================================
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkas4vj25jdUfJEx5d7">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <!-- ds:KeyInfo with the signing certificate elided in the original post -->
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/logout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/cas/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/login"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/cas/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>


cas.properties, runs on localhost:8443/cas
=============

cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://localhost:8443/cas/samlsp
cas.authn.pac4j.saml[0].clientName=bootsp2
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/casas-samlsp/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://............okta.com/app/.........../sso/saml/metadata
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
cas.authn.pac4j.saml[0].userNameQualifier=false
cas.authn.pac4j.saml[0].autoRedirect=true

==

Client app service registry; the Spring Boot app runs on localhost:8081

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^http://localhost:8081(/.*)?",
  "name" : "myclientapp",
  "id" : 1005,
  "description" : "sample",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders" : [ "java.util.ArrayList", [ "bootsp2" ] ]
    }
  }
}

Ray Bon

Aug 25, 2023, 3:34:08 PM
to cas-...@apereo.org
Yan,

My local OIDC goes to cas/oidc/oidcAuthorize where cas redirects to /cas/login. In your case, cas should redirect to the remote IdP.
The cas endpoints are described here, https://apereo.github.io/cas/6.6.x/authentication/OIDC-Authentication.html (though I note that the protocol differs from what my client is doing above and says cas/oidc/authorize).

Your client app should know nothing about how or where the login takes place. It should only know about cas. That way you can change the upstream IdP in cas and not have to make changes to your client.

Ray

On Fri, 2023-08-25 at 11:49 -0700, Yan Zhou wrote:

Yan Zhou

Aug 26, 2023, 1:40:12 AM
to CAS Community, Ray Bon
Hi, 

Mine is SAML2. 

Based on the principle that the client app should not be aware of whether CAS is the IDP or CAS is delegating, I thought the SSO URL remains the same: https://localhost:8443/cas/idp/profile/SAML2/POST/SSO

But when the client app redirects to the above SSO endpoint, CAS looks in the service registry for "org.apereo.cas.support.saml.services.SamlRegisteredService", while my client app is of type "org.apereo.cas.services.CasRegisteredService" in JSON, since it delegates to an external IDP.

Now I get this error in the CAS log; my app runs on localhost:8081 and CAS cannot find it in the registry. I do not know why it is looking for SamlRegisteredServices; I do not want CAS to be the IDP.

[org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <[http://localhost:8081/saml/metadata] is not found in the registry or service access is denied.>
2023-08-25 16:13:41,975 WARN [https-jsse-nio-8443-exec-5] [org.apereo.cas.util.function.FunctionUtils] - <screen.service.error.message>
org.apereo.cas.services.UnauthorizedServiceException: screen.service.error.message
at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlRegisteredService(AbstractSamlIdPProfileHandlerController.java:172) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:490) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
at 

Yan

Yan

Aug 26, 2023, 1:40:13 AM
to cas-...@apereo.org
Hi there, 

I made a mistake: I changed dependencies without rebuilding the project. Now I have made progress; auto-redirect is working now.

The client app goes to the IDP directly (because the IDP metadata generated by CAS has the Okta URL in it). But after I log in through Okta, it redirects to CAS, and this is where I still have a problem.


Error:

2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] [org.pac4j.core.client.Clients] - <Found client: #SAML2Client# | name: bootsp2 | callbackUrl: https://localhost:8443/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@2a2798a2 | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@2b9ecd05 | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@31f1b268 | authorizationGenerators: [] | checkAuthenticationAttempt: true | for name: bootsp2>
2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Client identifier could not found in request parameters. Looking at relay-state for the SAML2 client>
2023-08-25 17:02:54,605 DEBUG [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Located delegated client identifier []>
2023-08-25 17:02:54,605 ERROR [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Delegated client identifier cannot be located in the authentication request [https://localhost:8443/cas/login?client_name=bootsp2]>
2023-08-25 17:02:54,607 ERROR [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException:
at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieveSessionTicketViaClientId(DefaultDelegatedClientAuthenticationWebflowManager.java:236) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieve(DefaultDelegatedClientAuthenticationWebflowManager.java:84) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:285) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:205) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.lambda$doExecute$0(DelegatedClientAuthenticationAction.java:123) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
at java.util.Optional.orElseGet(Optional.java:369) ~[?:?]
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:123) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]


Ray Bon

Aug 28, 2023, 1:09:58 PM
to cas-...@apereo.org
Yan,

It still sounds like you are mixing the client with the delegated authn (okta).

If your client app is communicating with SAML, then cas should be configured as the IdP for the client app. The client app will have cas IdP metadata (with the cas url in it) and cas will have the client app SP metadata, and the service will be registered as a SamlRegisteredService. Hopefully you can test this setup with the default cas user (casuser:Mellon). (You will have to modify the client app json file to turn off redirect.)

Once the cas <-> client app is working correctly, then you can configure cas and okta.

Cas will get okta IdP metadata and okta will get cas SP metadata (_not_ client app). (Remember to turn on redirect in client app json file.)

You will most likely use the /idp/profile/SAML2/Redirect/SSO or /idp/profile/SAML2/POST/SSO endpoints set in your client app.


Ray
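A small checker, added here and not part of the thread or of CAS itself, that reproduces the registry lookup behind the "is not found in the registry" error Yan posted: it takes the SP entityID out of the log line and tests it against a service registry, first as posted (a CasRegisteredService) and then re-registered as the SamlRegisteredService Ray describes. The lookup semantics, the fixed entry and its metadataLocation path are assumptions for illustration.

```python
import re

SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

# The CasRegisteredService definition posted in the thread, reduced to the
# fields the lookup needs (constructed sample, not the live registry).
REGISTRY_AS_POSTED = [
    {"@class": "org.apereo.cas.services.CasRegisteredService",
     "serviceId": "^http://localhost:8081(/.*)?", "name": "myclientapp", "id": 1005},
]

# The same app registered as a SAML SP, as Ray's reply describes.
# The serviceId pattern and metadataLocation are assumed placeholders.
REGISTRY_FIXED = [
    {"@class": SAML_SERVICE_CLASS,
     "serviceId": "^http://localhost:8081/saml/metadata$", "name": "myclientapp", "id": 1005,
     "metadataLocation": "file:///path/to/client-sp-metadata.xml"},
]

# Constructed log line modelled on the message in the thread.
LOG_LINE = ("[org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController]"
            " - <[http://localhost:8081/saml/metadata] is not found in the registry"
            " or service access is denied.>")

NOT_FOUND_RE = re.compile(r"<\[(?P<entity>[^\]]+)\] is not found in the registry")


def entity_id_from_log(line):
    """Pull the SP entityID that CAS failed to resolve out of the log line."""
    m = NOT_FOUND_RE.search(line)
    return m.group("entity") if m else None


def diagnose(registry, entity_id):
    """Approximate the SAML IdP lookup (assumed semantics): the AuthnRequest
    issuer is matched against each serviceId regex, and only entries of the
    SamlRegisteredService class are accepted by the IdP profile controller.
    Returns 'ok', 'no-match', or 'wrong-class:<matching classes>'."""
    matches = [s for s in registry if re.search(s["serviceId"], entity_id)]
    if not matches:
        return "no-match"
    if any(s["@class"] == SAML_SERVICE_CLASS for s in matches):
        return "ok"
    classes = ",".join(s["@class"].rsplit(".", 1)[-1] for s in matches)
    return "wrong-class:" + classes


if __name__ == "__main__":
    issuer = entity_id_from_log(LOG_LINE)
    print(issuer, diagnose(REGISTRY_AS_POSTED, issuer), diagnose(REGISTRY_FIXED, issuer))
```

The "wrong-class" result is the situation in the thread: the regex matches the client, but the SAML IdP side of CAS only considers SamlRegisteredService entries, so the CasRegisteredService entry is invisible to it.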

Yan Zhou

Sep 8, 2023, 5:03:08 PM
to CAS Community, Ray Bon
Thanks Ray!

Good direction; I finally made some progress after doing what you suggested, except for the SLO scenario. I posted a new message about that, as it seems to be separate from this.

Yan
